
The link in the email leads to a malicious payload at [donotclick]http://paranoiknepjet.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on some IP addresses we have already seen:

50.57.43.49
50.57.88.200
184.106.200.65
187.85.160.106

I can identify the following domains on those IPs, all of which can be considered to be malicious:

The link in the email actually goes through your.totalinternethost.com/bb.html before bouncing to accounts.craiglist.org.postifedelta.com/icons/crg/ - I'm guessing that the domains are legitimate but their domain admin account has been hacked.

The mail itself is "from" craigslists.org (i.e. more than one list) rather than craigslist.org, which is a clue, and the subject is also mis-spelled as "craiglist". These are usually signs that something is going wrong (and a couple of things that you could block if you roll your own mail filters).
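As an added example (my own code, not from the original post), here is a small filter built on the clues above: it flags a From: domain one edit away from craigslist.org, a misspelled brand word in the Subject:, and a URL whose hostname uses the brand (or a typo of it) as a subdomain of some other registered domain. The PROTECTED table and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand domains to protect and the brand word expected in subjects and URLs (assumed).
PROTECTED = {"craigslist.org": "craigslist"}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_miss(word: str, real: str) -> bool:
    """True when word imitates real: it differs, but by at most one edit."""
    return word != real and edit_distance(word, real) <= 1

def phish_indicators(raw_message: str) -> list[str]:
    """Return the indicators found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw_message)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    subject_words = re.findall(r"[a-z]+", msg.get("Subject", "").lower())
    body = msg.get_payload() if not msg.is_multipart() else ""
    for real_domain, brand in PROTECTED.items():
        if near_miss(sender_domain, real_domain):
            hits.append(f"lookalike sender domain {sender_domain}")
        for w in subject_words:
            if near_miss(w, brand):
                hits.append(f"misspelled brand '{w}' in subject")
        for host in URL_HOST.findall(body):
            host = host.lower()
            labels = host.split(".")
            # Brand (or a typo of it) as a label of a host that is not under the real domain.
            if any(l == brand or near_miss(l, brand) for l in labels) and not (
                    host == real_domain or host.endswith("." + real_domain)):
                hits.append(f"brand in hostname of non-brand domain {host}")
    return hits

# Constructed sample modelled on the phish described above, not the real message.
SAMPLE = """From: Craigslist <noreply@craigslists.org>
Subject: Your craiglist account has been suspended

Please log in: http://accounts.craiglist.org.postifedelta.com/icons/crg/
"""
```

Running `phish_indicators(SAMPLE)` returns all three indicators, while a genuine message from craigslist.org linking to accounts.craigslist.org returns an empty list.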

If you click through, then you get a convincing looking login page which is an exact copy of the real thing:

This is the fake one:

Fill in the login details, and the fake page harvests them and sends you on to the REAL page (pictured below) which looks identical. Presumably, victims are meant to think that their login has failed in some way.

The catch? Both the real and fake pages have an identical warning:

WARNING: scammers may try to steal your account by sending an official-looking email with a link to a fake craigslist login page that looks like this page, hoping you'll type in your username and password.

[image: example of valid craigslist address]

Look carefully at the web address near the top of your browser to make sure you are on the real craigslist login page, https://accounts.craigslist.org

The safest way to login is go to the craigslist homepage directly by typing in the web address, and then clicking on the 'my account' link.

Both fake and real pages even have a picture to show you what to look for:

On the fake page, the URL in the browser bar clearly does not match the one on the page. But how many people actually read it? Any sysadmin will tell you that there's a hard core of users who don't read or understand warnings, and obviously there are enough of them to make this scam worthwhile.

Just for the record, these are the IPs in this particular phish:

accounts.craiglist.org.postifedelta.com
116.12.52.25
Usonyx, Singapore